Traditional identity management systems are based on centralized authorities such as corporate directory services, certificate authorities, or domain name registries. Each of the centralized authorities may serve as a root of trust that provides credibility to the identity it endorses. For such systems, data associated with the identities is often stored in centralized databases, if not traditional information storage media. The maintenance of identity of each person or entity is under the control of the centralized authorities. Given its nature, traditional identity management systems are subject to security risks suffered by each of the centralized authorities and provide inefficient mechanisms for the aggregation of identities or credentials provided by different centralized authorities. In such systems, individual entities or identity owners are often neither free to choose the root of trust nor in control over their own identities or credentials. Authentication and verification of their identities often prove to be inefficient.
Cross-entity authentication presents additional challenges. Cross-entity authentication requires different authorities to share user identity information. For example, to allow a first authority to authenticate a user based on the user's registration with a second authority, the second authority may need to share the user's identity and authentication information to the first authority. Traditional cross-authentication systems are often exposed to issues such as security vulnerabilities, privacy leakage, user-unfriendliness, complicated notification and authorization, workflow inefficiency, etc. In most cases, different authorities often find the lack of a common protocol to interface with each other for cross-authenticating users. For example, user authentication information may be spread outside a secure environment risking the user for identity theft. For another example, non-essential user information may be provided with essential information to other authorities for cross-entity authentication giving away user privacy. For yet another example, authorities and users have to undergo numerous layers of authorizations and security checks which makes the system inconvenient and unscalable.
Blockchain technology provides an opportunity to establish a trustworthy decentralized system that does not require trust in each member of the system. Blockchain provides data storage in a decentralized fashion by keeping the data in a series of data blocks having precedence relationship between each other. The chain of blocks is maintained and updated by a network of blockchain nodes, which are also responsible for validating data under a consensus scheme. The stored data may include many data types, such as financial transactions among parties, historical access information, etc.
Many blockchains (e.g., the Ethereum blockchain) have enabled blockchain contracts (also referred to as smart contracts) that are executed through blockchain transactions. Blockchain transactions are signed messages originated by externally owned accounts (e.g., blockchain accounts), transmitted by the blockchain network, and recorded in the blockchain. The blockchain contracts may be written to achieve various functions, such as adding data to blockchain accounts, changing data in the blockchain, etc. Thus, the blockchain can be maintained and updated by executing various blockchain transactions.
Blockchain technology provides the means for managing a root of trust without centralized authority. However, identity management systems built based on blockchain often present substantive technical barriers for average users by requiring storage of a blockchain ledger, capabilities to create and execute blockchain transactions and contracts, or participation in the consensus scheme of the blockchain. Such identity management systems also likely require frequent access to and interaction with the blockchain network, which may be costly and resource consuming. For business entities with the needs to manage identities for a large number of users, such identity management systems often prove to be inefficient and user-unfriendly. Mapping between identities managed by such an identity management system and accounts or service IDs kept by business entities are often difficult to maintain. Finally, the identity management systems may often allow anonymous and arbitrary creation of decentralized identities and provide little means to authenticate the real-world identities of the individuals behind the decentralized identities.